Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
For aconfigd test, for atest to work, the shell domain needs to be able
to connect to aconfigd_socket. In addition, aconfigd needs to be able to
access the test storage files as shell_data_file. All these policies are
only needed for userdebug_or_eng build.
Bug: 312459182
Test: m, launch avd, atest, then audit2allow, no avc denials found
Change-Id: Ifb369f7e0000dfe35305fe976e330fa516ff440c
Found when making the tests for permissive MTE, which are part of the
CTS test suite because I really, really don't want to fork hundreds of
lines of Java glue. But, CTS tests aren't supposed to only run on rooted
devices (even though there's examples of this in the tree already).
I think either way, ideologically, we should allow non-root users to
enable permissive MTE. This would be useful for a person who wants to
dogfood MTE with all apps on, but use a retail build. I can think of at
least a few researchers that would probably find this useful.
Bug: 328793166
Test: adb unroot && adb shell setprop persist.sys.mte.permissive 1
Change-Id: Ie905e23c9600986cb436e1cc7490e28678710696
This defines the kcmdline_prop context for properties controlled by
kcmdlinectrl, and defines a property called kcmdline.binder for
switching between the Rust and C implementations of the Binder driver.
It is intended that additional kcmdline properties introduced in the
future would share the same kcmdline_prop context.
Test: Verified that setprop/getprop work and that the value is loaded properly at boot
Bug: 326222756
Change-Id: Iea362df98d729ee110b6058c6e5fa6b6ace03d8e
This reverts commit 5e1d7f1c85.
Reason for revert: retry with a fix to the failed tests
Test: atest art_standalone_oatdump_tests
Change-Id: I28872c643ba4ec07ef41b1f9be86036c592a6e4e
In AVF, virtualizationmanager checks the selinux label of given disk
image for proving whether the given image is edited maliciously.
Existing one(vendor_configs_file, /vendor/etc/*) was too wide to use for this purpose.
Bug: 285854379
Test: m
Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
This can be useful, for both platform and app developers, when there
are lots of SELinux violations.
The property is only read by init, so no get_prop macros are needed.
Bug: 304313777
Test: set, `for x in $(seq 100); do ls /cache; done`, observe logs
Reference: Ib5352dcf3a85836ae5544c9feeb5222c97c50ecd
Change-Id: Ib23c008ed89e078a20ae136ba97e853f699e2050
The properties for attestation are congifured in build.prop files and
used by frameworks Build.java.
Allow app to access them from 'adb shell am'
Bug: 296168846
Test: m selinux_policy
Change-Id: Ie749cf5d621c03c21aa538f96a06d21680a61569
Adds persist.syui.notification.ranking_update_ashmem property and
associated permissions, which will be used to flag guard a change in
core/...NotificationRankingUpdate.java.
Permissions are limited in scope to avoid unnecessary access.
Apps may need to read the flag (because NotificationRankingUpdate.java
is a core library), but setting should only be possible internally (and
via debug shell).
Test: manual flash+adb setprop/getprop
Bug: 249848655
Change-Id: I661644893714661d8c8b5553c943fa17d08c000c
A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This
is read-allowed by a few system components which need to read "apex" in
general. For example, linkerconfig needs to read apex_manifest.pb from
all apexes including vendor apexes.
Previously, these entries were labelled as system_file even for vendor
apexes.
Bug: 285075529
Test: m && launch_cvd
Test: atest VendorApexHostTestsCases
Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
Adds persist.sysui.notification.builder_extras_override property
and associated permissions, which will be used to flag guard
a change in core/...Notification.java.
Permissions are limited in scope to avoid unnecessary access.
Apps may need to read the flag (because Notification.java
is a core library), but setting should only be possible
internally (and via debug shell).
Test: manual flash+adb setprop/getprop
Bug: 169435530
Change-Id: I3f7e2220798d22c90f4326570732a52b0deeb54d
This way, we can change things like the RKP hostname or enablement
from the shell for tests.
Bug: 265196434
Test: manual (adb shell setprop ...)
Change-Id: Ib853eaf29b395705eba57d241df064152220457e
This change gives the shell process the needed permissions to call the
rkp_factory_extraction_tool without also granting the ability to access
the KeyMint HAL service.
To run the tool from a shell accessible folder, push
rkp_factory_extraction_tool to /data/local/tmp with:
adb push out/target/product/<path/to/tool>/rkp_factory_extraction_tool \
/data/local/tmp
Test: the tool can be executed in SELinux enforcing mode
Change-Id: Idebebffa9bb405d527ab37c17030db3999efe3d1
The domain of 'remount' used to be 'system_file', which is
read-executable by 'shell'. However when I submitted aosp/1878144, the
domain of 'remount' became 'remount_exec', and I forgot to allow
'shell' to read-execute the new 'remount_exec' domain.
This makes `adb remount` w/o root to produce sub-par error message:
$ adb remount [-h]
/system/bin/sh: remount: inaccessible or not found
Allow 'shell' to read-execute 'remount_exec', so that the user can get a
proper error message when not running as root, and help (-h) message can
be displayed:
$ adb remount
Not running as root. Try "adb root" first.
$ adb remount -h
Usage: remount ...
Bug: 241688845
Test: adb unroot && adb remount [-h]
Change-Id: I5c105eaffa7abddaf14a9d0120fd6b71749c7977
Limit processes that can change global settings system properties.
Only system server and shell (for tests) should be able to set the
affected system properties.
Bug: 248307936
Test: treehugger only
Change-Id: I20b40cbedc9ad5277d08d033fc9d3ff6df7b7919
from the shell.
This fixes a regression from https://r.android.com/1921457, so that
dex2oat without a path can still be run from the adb shell. That CL
removed the symlink from /system/bin, which means the shell finds it in
/apex/com.android.art/bin instead, and hence it needs to be covered by
this sepolicy.
Test: adb unroot && adb shell dex2oat
Bug: 218986148
Bug: 124106384
Change-Id: Ic52b30e0974829b5e5cde5106e6c4eec9f61eec6
This is intended for wm properties related to wmshell/sysui.
Using this context allows sysui to manipulate these properties
in debug builds.
Bug: 219067621
Test: manual
Change-Id: I5808bf92dbba37e9e6da5559f8e0a5fdac016bf3
This is useful for certain tests. Note that it is already possible to
access these files without root via adb pull, since adbd has
access. Shell also already has access to non-updated APEXes on
/system/apex.
Bug: 220918654
Test: adb unroot; pm install --apex /data/apex/decompressed/X.decompressed.apex
Change-Id: I35725499365b297a64c9005c8e45325531d3991d
Remove some allow rules for odsign, since it no longer directly
modifies CompOs files. Instead allow it to run compos_verify_key in
its own domain.
Grant compos_verify_key what it needs to access the CompOs files and
start up the VM.
Currently we directly connect to the CompOs VM; that will change once
some in-flight CLs have landed.
As part of this I moved the virtualizationservice_use macro to
te_macros so I can use it here. I also expanded it to include
additional grants needed by any VM client that were previously done
for individual domains (and then deleted those rules as now
redundant).
I also removed the grant of VM access to all apps; instead we allow it
for untrusted apps, on userdebug or eng builds only. (Temporarily at
least.)
Bug: 193603140
Test: Manual - odsign successfully runs the VM at boot when needed.
Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
The shell context can invoke app_process (ART runtime), which in turn
reads odsign_prop to determine whether we determined that the generated
artifacts are valid. Since this was denied until now, app processes
invoked through shell would fall back to JIT Zygote. This is probably
fine, but since fixing the denial is really simple (and not risky), this
option might be preferred over adding it to the bug map.
Bug: 194630189
Test: `adb shell sm` no longer generates a denial
Change-Id: Ia7c10aec53731e5fabd05f036b12e10d63878a30
Also guard all profcollect related entries with userdebug/eng only and
move them into one place.
Test: manual
Bug: 183487233
Bug: 194155753
Change-Id: If3399bb78b60f0367267e67573007ed72508279a
... to connect to the programs running in the guest VM
Bug: 192904048
Test: atest MicrodroidHostTestCases
Change-Id: Iccb48c14ace11cc940bb9ab1e07cc4926182e06e
/apex/apex-info-list.xml is used by ART mainline module, hence it needs
to have CTS test for it. Giving adbd and shell read-only permission
allows us to write host-driven CTS test that pull
/apex/apex-info-list.xml from the device and inspects it's content.
Similar (albeit not exactly the same information) is already available
via PackageManager APIs/PackageManager shell command.
Bug: 190185664
Test: m
Test: adb shell cat /apex/apex-info-list.xml
Change-Id: Ib7f2ca79a7493f8cd40d0c419569e85135f6bbda
Enables CTS testing of the bootstrap apexes.
Bug: 186767843
Test: adb shell cat bootstrap-apex-info-list.xml works without root
Change-Id: Icf56d32d296f5a42160dbd9ea90a89c8b4db6aa7
These are moved to packages/modules/Virtualization.
Bug: 189165759
Test: boot device and microdroid
Test: atest MicrodroidHostTestCases
Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
Microdroid_manager is an executable in microdroid. It's role is to manage tasks
in microdroid and communicate with host's virtualizationservice.
To execute a task in microdroid, microdroid_manager should
- read "metadata" partition
- read VM payload config
- exec a command
Bug: 189301496
Test: atest MicrodroidHostTestCases
Change-Id: Iabbe0d3c8832f00df5c545e6b13fc55afa820b33
Microdroid_launcher is an executable in microdroid. It's role is to load
a shared library in an APK that is shared from the host Android and
execute it by calling an entry point (android_native_main) in it.
For now, it is executed from shell, but will eventually be executed from
a binder service (which also is running in microdroid) called
microdroid_manager.
Bug: 188513012
Test: atest MicrodroidHostTestCases
Change-Id: I150a958c1ed0e3e960f4b4b577e808e54e898644
Allow the MediaProvider app to write the system property
fuse.passthrough.enabled in case FUSE passthrough is enabled.
The need for this additional system property is due to the ScopedStorage
CTS tests that are assuming FUSE passtrhough is always on for devices
supporting it, but there may be some cases (e.g., GSI mixed builds)
where this is not possible true and the feature is disabled at runtime,
thus causing the tests to fail.
This additional system property is only set when FUSE passthrough is
actually being used by the system.
Bug: 186635810
Test: CtsScopedStorageDeviceOnlyTest
Signed-off-by: Alessio Balsini <balsini@google.com>
Change-Id: I623042d67399253a9167188c3748d93eb0f2d41f
* Permits setting the sys.drop_caches property from shell.
* Permits init to read and write to the drop_caches file.
* Can only be set to 3 (drop_caches) and 0 (unset).
Bug: 178647679
Test: flashed user build and set property; no avc denials.
Test: flashed userdebug build and dropped caches w/o root.
Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
This property is set to true in rollback tests to prevent
fallback-to-copy when enabling rollbacks by hard linking.
This gives us insights into how hard linking fails where
it shouldn't.
Bug: 168562373
Test: m
Change-Id: Iab22954e9b9da21f0c3c26487cda60b8a1293b47
